Exploring the risks and alternatives of sharing HIPAA information through text messaging.
Is text messaging HIPAA compliant? The general answer is “no”, although there are a few scenarios in which limited communication via SMS text messages may be acceptable. Nevertheless, it's not advisable.
Text messages are, after all, a simple way to communicate, especially when time is of the essence, but healthcare providers and other covered entities subject to HIPAA's Privacy Rule must take care to limit the information they communicate via text.
The general rule is that texting may only be HIPAA compliant if a patient has given their permission in writing to receive certain information from the covered entity via text message. A patient might, for example, allow the physician's office to send appointment reminders by text, but not to communicate medical details. The latter is not advisable in any case, because SMS text messages are visible to numerous parties, including cell phone carriers, government agencies, and potentially hackers. Because SMS technology is not inherently secure, it is never advisable to send highly confidential information by text message.
In fact, HIPAA guidelines call for healthcare providers to inform patients that SMS text messaging is not a secure format. If patients want to receive medical details anyway, they must provide explicit written permission to their healthcare provider or other covered entity.
At issue is the “protected health information” (PHI) of each patient safeguarded by HIPAA regulations. PHI must be secured using well-defined access controls, with full auditability and encryption that conforms to the HIPAA Security Rule. Generally, these protections are not available on traditional text messaging platforms, including iMessage and WhatsApp, for example.
HIPAA's Privacy Rule is very strict, and penalties for non-compliance can be stiff. Furthermore, ignorance of proper security protocols is no excuse. Although the Federal government's Office for Civil Rights (OCR) treats willful negligence differently from a simple lack of knowledge or awareness, it nevertheless takes action against both.
There are some HIPAA-compliant text messaging apps on the market that sync with your electronic medical records (EMR) system and streamline text-based communication with patients. Even these should be used only with extreme caution, though, and you must have a business associate agreement (BAA) in place with the service provider. A BAA specifies the safeguards that must be in place to protect PHI, and it requires both entities to be HIPAA compliant. Using a texting app in conjunction with PHI is not permitted unless a BAA is in place.
Most medical offices prefer to work with a tried-and-true technology to exchange information with their fellow healthcare providers, insurance carriers, and other covered entities. Fax technology is proven to be safe from hackers and generally secure from unauthorized access, provided that covered entities adhere to some basic best practices such as including a HIPAA-compliant cover page with all outgoing faxes.
The safest communication option available is a cloud-based HIPAA-compliant fax service. Secure cloud fax combines the proven security of fax technology with convenience and flexibility, plus key features such as auditability. With WestFax's HIPAA-Compliant Healthcare Fax, medical personnel can send and receive faxes from a desktop computer or even a mobile phone. WestFax also automates the process of adding cover pages that include a HIPAA disclaimer.
WestFax understands HIPAA, so we offer standard or custom business associate agreements to suit your needs. Our servers reside in access-restricted data centers with 24/7 security, video surveillance, and biometric access control.
To learn more about HIPAA-Compliant Secure Cloud Fax, contact WestFax today to discuss your needs.